
Pink’s fake help desk calls show how one phone call can crack enterprise security

Pink is using vishing and IT impersonation to steal credentials, bypass MFA, and extort victims, a reminder that identity controls fail fast when people are the weakest link.

By Omar Al-Balawi, Technology Correspondent, The Executives Brief · 4 min read
Executive summary

Palo Alto Networks' Unit 42 says a new extortion brand called Pink is using fake help-desk calls, voice phishing, and IT impersonation to break into corporate environments, steal cloud data, and threaten leaks. For executives, the story is a blunt reminder that MFA and cloud security controls can still be undone by a single convincing phone call.

Pink is the latest extortion brand to do something embarrassingly effective: call the help desk, sound official, and walk out with access credentials. Palo Alto Networks' Unit 42 says the group, which it tracks as cluster CL-CRI-1147, is using voice phishing and fake help-desk calls to gain initial access to organizations' IT environments, steal sensitive data, and then threaten to leak it unless the victim pays. The group's data-leak site went live on May 31, and it sets a 72-hour deadline for victims to respond before it publishes the stolen material. In plain English, this is not a malware magic trick. It is identity theft with a phone line, then extortion with a stopwatch.

The most interesting part is that Pink may not even be new. Google Threat Intelligence is not sure the brand represents a fresh criminal outfit at all. Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, said, "After retiring the BlackFile brand in May 2026, we assess the group launched the 'Redact' brand and has now potentially surfaced as 'Pink,'" and added that the operation shows hallmarks of UNC6671, including similar credential-harvesting infrastructure, a data leak site, and recurring messaging that claims to "improve the security" of victims who pay. Google also says the Pink domains recently published by Unit 42 can be attributed to UNC6671. So whether this is a new gang or just a new coat of paint, the commercial logic is the same: pressure a company, take its data, and try to turn panic into cash.

That playbook should sound familiar because it has been used again and again. Lapsus$, the chaotic crime crew behind extortion campaigns that hit Nvidia, Microsoft, and Okta in 2021 and 2022, helped popularize the technique of phone-based intrusions. Scattered Spider later picked up the mantle and became best known for the 2023 Las Vegas casino digital heists, reportedly bragging that all it took to break into MGM's networks was a 10-minute call with the help desk. ShinyHunters has also used the same approach to steal sensitive data from Ticketmaster, AT&T, other Salesforce customers, and thousands of schools and universities using Canvas' digital learning platform. The point for security leaders is uncomfortable but clear: multi-factor authentication is not a force field if an attacker can socially engineer the person or team that resets it.

Unit 42 says the latest cluster is likely a Com-affiliated actor, which matters because many incident responders, including Google’s Mandiant and Unit 42, link a lot of these criminal collectives to The Com. That is a loosely knit network of primarily English speakers made up of interconnected groups of hackers, SIM swappers, and extortionists, with some subgroups even offering real-life violent crime for hire. The repeated arrests across these gangs have not stopped the behavior from coming back, which is exactly why the issue keeps showing up on board agendas. Executives do not just have to worry about an intrusion. They have to worry about a repeatable business model that keeps surviving law enforcement pressure, brand changes, and takedowns.

Unit 42 says that on June 1, 2026, an existing extortion negotiation that had never received a response, and was attributed to a likely Com-related cluster, suddenly got new communication from a threat actor using a free webmail account. The actor sent a new qTox ID and a leak site associated with the Pink brand, but referenced exfiltrating almost identical information from the original extortion notice. That is a useful detail for defenders because it suggests continuity across branding changes and gives incident responders a way to connect the dots when the criminals try to obscure them. The group also reuses the same second-level domains against multiple organizations, while the third-level label is typically themed on the specific target, another operational clue that can help threat hunters spot patterns before a breach turns into a public leak.

The mechanics of the attack are straightforward and very modern. After gaining access to a victim's account, the criminals search for valuable corporate and customer data in places like SharePoint and OneDrive, then use compromised victim accounts and internal Teams messages to extort the company. Unit 42 says the indicators observed in Pink attacks include the phishing domains passkeyadd[.]com, passkeydeploy[.]com, and deploypasskey[.]com, along with the IP addresses 185[.]178[.]208[.]153 (hosting the phishing domains), 172[.]93[.]100[.]252 (used to access compromised accounts), and 96[.]232[.]20[.]66 (a residential proxy IP used to create the extortion emails). It also observed the user-agent strings Microsoft.Graph.Client/5.62.0, python-requests/2.28.1, and python-requests/2.33.1 during data exfiltration. Those are the breadcrumbs defenders use to hunt, contain, and prove what happened.
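As an added illustration (not code from Unit 42 or the article), the hunt below runs the published indicators over a few constructed audit records and shows the domain-reuse pattern from the previous paragraph: it flags accesses from the listed IPs or with the exfiltration user-agents, and groups phishing hostnames by second-level domain to surface ones reused under several target-themed third-level labels. The log format, the sample hostnames such as acme-sso.passkeyadd.com, and the user names are assumptions made for the example.

```python
from collections import defaultdict

# Indicators Unit 42 attributes to Pink, as quoted in the article (defanging removed).
PINK_IPS = {"185.178.208.153", "172.93.100.252", "96.232.20.66"}
PINK_DOMAINS = {"passkeyadd.com", "passkeydeploy.com", "deploypasskey.com"}
EXFIL_USER_AGENTS = {"Microsoft.Graph.Client/5.62.0",
                     "python-requests/2.28.1", "python-requests/2.33.1"}

# Constructed audit records (made up, not real telemetry): time, user, src IP, user-agent, resource.
SAMPLE_LOG = """\
2026-06-01T08:02:11Z\tjdoe@example.com\t203.0.113.10\tMozilla/5.0 (Windows NT 10.0)\tsharepoint:/sites/finance
2026-06-01T08:05:43Z\tjdoe@example.com\t172.93.100.252\tpython-requests/2.28.1\tgraph:/me/drive/root/children
2026-06-01T08:06:02Z\tjdoe@example.com\t172.93.100.252\tMicrosoft.Graph.Client/5.62.0\tgraph:/sites/finance/drive
2026-06-01T08:30:15Z\tasmith@example.com\t198.51.100.7\tMozilla/5.0 (Macintosh)\tsharepoint:/sites/hr
"""
# Constructed phishing hostnames showing the reuse pattern (third-level label themed on the target).
SAMPLE_HOSTS = ["acme-sso.passkeyadd.com", "globex-login.passkeyadd.com",
                "initech.passkeydeploy.com", "passkeydeploy.com"]

def parse_log(text):
    """Parse tab-separated audit lines into dicts; malformed rows are dropped."""
    fields = ("time", "user", "src_ip", "user_agent", "resource")
    rows = (line.split("\t") for line in text.splitlines())
    return [dict(zip(fields, p)) for p in rows if len(p) == len(fields)]

def hunt_exfil(records):
    """Flag records whose source IP or user-agent matches the published Pink indicators."""
    findings = []
    for r in records:
        reasons = []
        if r["src_ip"] in PINK_IPS:
            reasons.append("known Pink IP")
        if r["user_agent"] in EXFIL_USER_AGENTS:
            reasons.append("exfiltration user-agent")
        if reasons:
            findings.append((r["user"], r["src_ip"], r["user_agent"], reasons))
    return findings

def shared_second_level(hosts):
    """Group hostnames by second-level domain (naive last-two-labels split, fine for .com);
    return the Pink domains reused under two or more target-themed third-level labels."""
    groups = defaultdict(set)
    for host in hosts:
        labels = host.lower().split(".")
        sld = ".".join(labels[-2:])
        if len(labels) > 2 and sld in PINK_DOMAINS:
            groups[sld].add(".".join(labels[:-2]))
    return {sld: subs for sld, subs in groups.items() if len(subs) >= 2}
```

A user-agent match on its own is noisy, since python-requests is everywhere in legitimate automation; the combination with a listed IP and bulk Graph/SharePoint drive enumeration is what makes a hit worth escalating.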

For anyone running IT, security, or risk, the strategic lesson is not subtle. Help desks are now a frontline security control, whether they want the job or not. Any process that can reset credentials, approve MFA, or grant access to cloud collaboration tools has become a target for criminals who are patient enough to impersonate an employee, sound like support staff, or claim to be rolling out a mandatory MFA update or other emergency. That is why Unit 42's closing warning matters: be very wary of help desk calls from people claiming to be employees locked out of corporate accounts and from those posing as support staff. In this game, the attacker only needs one convincing conversation. The company then gets to spend weeks explaining how a phone call turned into a breach, a leak site, and a very expensive lesson in identity trust.
